The Future of Indoor Plumbing

Presentation transcript:

The Future of Indoor Plumbing
Dr Ken Klingenstein, Director, Internet2 Middleware and Security

Topics

The work so far:
- Indoor, policy-based plumbing
- IdM in the enterprise
- Inter-realm and inter-institutional

The next several years:
- Internet identity
- Interfederation and confederation
- In collaboration and virtual organizations
- In the Internet of Things
- In the attribute ecosystem and the Tao of Attributes

Over the last ten years, we have built
- Enterprise identity middleware plumbing: directories, authentication, single sign-on, group managers, some authorization
- Connected the applications to the plumbing
- Extended the enterprise to work in a bigger world with federations
- Created a foundation for collaboration

Enterprise IdM middleware plumbing

Indoor, policy-based plumbing
- Before this, each application had to provide its own identity management: authentication, groups and privileges, etc.
- After this, applications can use a set of pipes and services that provide basic identity
- Applications can concentrate on what they are special at
- The pipes have standard interfaces to help the applications use them
- What flows through these pipes are identity, assurance and attributes

Connecting applications to plumbing
- Academic applications: e-learning, grids, access to digital content
- Administrative applications: the infrastructure apps, the legacies and the systems of record
- The collaboration tools: email, web, calendaring, IM, etc. (collaboration management platforms)
- The network layer needs plumbing too (firewall negotiation, spam control, network access)

E-learning

Grids

The Legacy Administrative Apps

Federation: extending beyond the institution
- The need to collaborate drove the R&E community to help shape SAML and to create Shibboleth
- Federations have technical and policy sides: they aggregate, secure (sign) and distribute members' metadata, and coordinate policies, attributes, etc.
- Showed that privacy, secrecy and security could coexist
- Now applies to clouds and national service providers

Early federations without indoor plumbing

Modern federation

Looking back, some of the easier pieces
- The design of the technology: "we saw a different problem and solved it in the obvious way"
- Getting attention: the need for Internet identity was growing
- We are not so much different from the corporate world; we just have a more urgent need to collaborate beyond our organizational borders

Looking back, some of the hard parts
- Implementing the technologies
- Policies: getting the institution to understand what it does and to document it
- The many types of communities we serve
- The embedded base of bad solutions
- Having the legacy applications learn to rely on, and supply, the middleware layer
- Dealing with a mess of privacy laws

Middleware Architects

Looking forward
- The future of Internet identity and privacy
- Interfederation and confederation
- Collaborations and virtual organizations
- Non-web applications
- The Internet of Things
- The attribute ecosystem and the Tao of Attributes

Internet identity futures
- Integration of social networking and federated identity technologies
- OpenID within the Shibboleth platform: an eduPersonOpenId attribute? Attribute management within OpenID
- Focus on business processes, not on protocols
- Privacy management by end users
- The attribute ecosystem becomes the real set of issues

Interfederation
- Connecting autonomous federations
- Critical for global scaling, for accommodating state and local federations, and for integration across sectors
- Has technical, financial and policy dimensions
- Elegant technical solution being developed in the eduGAIN project of GÉANT
- Policy activities in the Kalmar2 Union, GÉANT, Kantara, TERENA

MDX: metadata exchange protocol
- Institutions and organizations will pick a registrar to give their metadata to
- Institutions and organizations will pick an aggregator (or several) to get their partners' metadata from
- Aggregators exchange metadata with each other and with registrars
- If this sounds like DNS registration and routing, it is, one layer up
- In the land of data, metadata is king; imagine many new kinds of metadata
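What an aggregator or a relying party actually does with the metadata the two slides above describe is mechanical: refuse an aggregate that is unsigned or past its validUntil, index the entities it carries, and answer lookups by entityID. The block below is an added example, not code from the presentation or from any federation's software. It parses a constructed SAML 2.0 EntitiesDescriptor (the entityIDs and endpoints are invented for the example), applies those checks, and computes the "transformed identifier" used for per-entity lookups in the Metadata Query (MDQ) protocol, which is "{sha1}" followed by the hex SHA-1 of the entityID. Signature handling is a presence check only; a real deployment verifies the XML signature against the federation's published key with an xmlsec library before trusting anything in the file.

```python
"""Consume a SAML 2.0 metadata aggregate: refuse unsigned or expired aggregates,
index entities by entityID and by MDQ transformed identifier, extract endpoints.
The sample aggregate and its entityIDs are constructed for this example."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one IdP and one SP under a federation signature.
# The SignatureValue is a placeholder; see the note in parse_aggregate().
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:example:federation" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.university-a.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university-a.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wiki.lab-x.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://wiki.lab-x.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _as_dt(now):
    """Accept None (current time), an ISO 8601 string, or a datetime."""
    if isinstance(now, str):
        return datetime.fromisoformat(now.replace("Z", "+00:00"))
    return now or datetime.now(timezone.utc)


def mdq_identifier(entity_id: str) -> str:
    """MDQ transformed identifier: '{sha1}' + lowercase hex SHA-1 of the entityID.
    This is the form that goes into /entities/<identifier> on an MDQ responder."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


def parse_aggregate(xml_text: str, now=None) -> dict:
    """Return {entityID: {mdq_id, idp_sso, sp_acs}} or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("root element is not md:EntitiesDescriptor")
    # Presence check only. Production code must verify this signature against
    # the federation's published signing key (xmlsec) before using the file.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("refusing unsigned aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("refusing aggregate without validUntil")
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if _as_dt(now) >= expiry:
        raise ValueError(f"aggregate expired at {valid_until}")
    entities = {}
    # iter() rather than findall(): aggregates may nest EntitiesDescriptor elements.
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        eid = ed.get("entityID")
        entities[eid] = {
            "mdq_id": mdq_identifier(eid),
            "idp_sso": [e.get("Location") for e in
                        ed.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)],
            "sp_acs": [e.get("Location") for e in
                       ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)],
        }
    return entities


def accepts(xml_text: str, now=None) -> bool:
    """True if the aggregate passes the structural, signature-presence and validity checks."""
    try:
        parse_aggregate(xml_text, now)
        return True
    except ValueError:
        return False


def lookup(entities: dict, identifier: str):
    """Resolve either a raw entityID or an MDQ transformed identifier."""
    if identifier.startswith("{sha1}"):
        for eid, info in entities.items():
            if info["mdq_id"] == identifier:
                return eid, info
        return None
    info = entities.get(identifier)
    return (identifier, info) if info else None


if __name__ == "__main__":
    ents = parse_aggregate(SAMPLE_AGGREGATE)
    for eid, info in ents.items():
        print(eid, "->", info["mdq_id"])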

Confederation
- The union of federations
- Primary use case is Europe
- Ultimately represents an alignment of policies (privacy, cookies, etc.), attributes (semantics) and other things, more than a technology
- Policy space looks very hard: differences among national policies, differences between national and EU policies, differences between policies and courts

Collaborations and virtual organizations
- IdM is a critical dimension of collaboration, crossing many applications and user communities
- Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools
- Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world
- Lots of activity in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity

Domestication of applications
- The work of re-factoring applications to use the emergent identity services infrastructure
- Begins with federated identity and authentication and the use of directories; gains a lot from group management for access control, etc.
- Needs a fine-grained set of authorization tools down the road
- Domesticated apps can receive IdM attributes via LDAP, SAML, X.509, SQL, Kerberos PAC, and maybe all of the above

COmanage
- Can provide authentication and basic authorization services (group membership, privilege management, etc.) to domesticated apps
- "Domesticated" applications currently include MediaWiki, Confluence, Jira, Subversion, Sympa, Listserv, Drupal, Nagios, WordPress, Git; plan to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc.
- Not "collaboration in a box"; more collaboration in an open-standard, integrated box
- The "stand-alone" can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop
- Implemented as a service or as a VM, perhaps in a cloud
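The two slides above describe domestication as re-plumbing an application so that it stops keeping its own accounts and instead consumes identity and group attributes from the infrastructure. The block below is an added example, not code from COmanage or from any of the applications listed; it shows the shape of a domesticated web application in plain WSGI, trusting only what a Shibboleth-SP-style front end has placed in the request environment (a session identifier, REMOTE_USER, and a multi-valued isMemberOf attribute joined with ';', which is the Shibboleth SP's default separator). The attribute variable names, group names and protected paths are assumptions for the example; a real deployment takes the names from the SP's attribute map. The security point worth noticing is in federated_attrs(): the app reads server variables, not HTTP request headers, because a client can send an "isMemberOf" header but cannot set a server variable behind the SP module.

```python
"""A 'domesticated' WSGI application: no password database, authorization driven
by federated attributes injected by the SSO front end. Variable names, groups
and paths are assumptions for the example."""

MULTI_VALUE_SEP = ";"   # the Shibboleth SP joins multi-valued attributes with ';'

STATUS = {200: "200 OK", 401: "401 Unauthorized", 403: "403 Forbidden"}

# Path prefix -> isMemberOf values allowed there; unlisted paths are public.
ACCESS_POLICY = {
    "/admin": {"lab-x:admins"},
    "/wiki": {"lab-x:members", "lab-x:admins"},
}


def federated_attrs(environ):
    """Read what the SP established. Server variables are used, never request
    headers: a client can forge 'isMemberOf: lab-x:admins' as a header, but it
    cannot set a server variable behind the SP module."""
    def multi(name):
        return [v for v in environ.get(name, "").split(MULTI_VALUE_SEP) if v]
    return {
        "session": environ.get("Shib-Session-ID"),  # set only once the SP built a session
        "user": environ.get("REMOTE_USER"),
        "affiliation": multi("affiliation"),         # eduPersonScopedAffiliation values
        "groups": multi("isMemberOf"),
    }


def authorize(path, attrs):
    """401 if a protected path is hit without a federated session, 403 if the
    session's groups do not satisfy the policy, 200 otherwise."""
    for prefix, allowed in ACCESS_POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            if not attrs["session"] or not attrs["user"]:
                return 401
            return 200 if allowed & set(attrs["groups"]) else 403
    return 200


def app(environ, start_response):
    attrs = federated_attrs(environ)
    code = authorize(environ.get("PATH_INFO", "/"), attrs)
    body = f"{STATUS[code]} user={attrs['user']} groups={attrs['groups']}".encode()
    start_response(STATUS[code], [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
    return [body]


def sample_environ(path, user=None, groups=(), session=None):
    """Constructed WSGI environ mimicking what the SP module would set."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if session:
        env["Shib-Session-ID"] = session
    if user:
        env["REMOTE_USER"] = user
    if groups:
        env["isMemberOf"] = MULTI_VALUE_SEP.join(groups)
    return env


def call_app(environ):
    """Drive app() without a server; returns (status line, body text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    alice = "alice@university-a.example"
    print(call_app(sample_environ("/wiki/Main", user=alice,
                                  groups=["lab-x:members"], session="s1")))
    print(call_app(sample_environ("/admin", user=alice,
                                  groups=["lab-x:members"], session="s1")))
```

Replacing the local login form with this pattern is the first step of domestication the slides describe; the group names consumed here are exactly what a collaboration management platform such as COmanage is meant to supply.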

Collaboration Management Platform (CMP) and the attribute ecosystem (diagram)
- Collaboration tools and resources: file sharing, calendar, email, list manager, phone/video conference, federated wiki, domain science grid, domain science instrument, application attributes
- COmanage collaboration management platform: authentication, authorization (group info, privilege info), people picker, attribute/resource info data store, other functions
- Attribute ecosystem flows from the sources of authority: home organizations and identity providers (University A, University B), Laboratory X

End user accesses a service (diagram)
Services shown: Confluence, Drupal, Sympa, Apache/IIS, Bedework, Sakai 3, TeraGrid, uPortal, webFiles, Google Groups, legacy apps, OSG
1. User goes to the service (SP)
2. Redirected to the platform IdP, then on to the user's home organization IdP
3. Platform attributes, groups and privileges added
Platform components: local store (user attributes, user accounts, groups and privileges, platform use), provisioner, policy engine, monitoring, diagnostics, user invitation, account linking, service manager, register, provisioning, user dashboard, service status, notifications, access manager (groups, privileges), IdP, STS, LDAP, ID services
Variants: the service gets attributes etc. from LDAP or from the ID services; the service (or the container it is in) uses the STS to obtain a usable user token.

Collabmin adds a new CO to the platform (diagram)
1. Create the group, assign Admin to the power user
2. Allocate service resources
Until services expose service-management web service interfaces, allocating service resources might be done by encapsulating the service-management UIs in portlets, so that they all have collabmin sessions established and waiting for the collabmin to use them.

Non-web applications
- Many non-web apps want federated identity: wireless roaming, videoconferencing, soft phones, signed email, grids, next-generation Internet, calendaring, etc.
- Adding federated authentication and authorization to them is generally engineered on a per-case basis
- The embedded base of devices, systems, etc. that make up the non-web application space is huge and diverse
- ISOC, GÉANT and others are interested, but the task is daunting

Non-web Applications

The Internet of Things
- We have built the Internet of computers and now the Internet of people and identity; next is things
- Federation is a powerful model: it provides a degree of local freedom but a scalable infrastructure; with interfederation it can reach Internet scale
- Devices need to have identity, attributes, access control privileges, etc. that tend to federate, and they also need to interact with identity federation
- Next-generation Internet work has many types of federated voodoo: federations of identities, of firewalls, of routers, etc.

Trust, identity and the Internet
- Acknowledges the assumptions the original protocols made about the fine nature of our friends on the Internet, and the subsequent realities
- http://www.isoc.org/isoc/mission/initiative/trust.shtml
- ISOC initiative to introduce trust and identity-leveraged capabilities into many RFCs and protocols
- First target area is DKIM; subsequent targets include SIP and firewall traversal (trust-mediated transparency)

The attribute ecosystem
- Authentication is very important, but identity is just one of many attributes
- Attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
- We now have our first transport mechanisms to move attributes around: SAML and federations
- There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
- Together, this attribute ecosystem is the "access control" layer of infrastructure

Attribute use cases are rapidly emerging
- Disaster "first responders": attributes and qualifications, delivered dynamically
- Accessibility use cases
- Public input processes: anonymous but qualified respondents
- Grid relying parties aggregating VO and campus attributes
- The "IEEE" problem
- The "over legal age" use case, and the difference in legal ages between jurisdictions
- Self-asserted attributes: friend, interests, preferences, etc.

Key issues
- Attribute aggregation
- Metadata of attributes, LOA, etc.
- Sources of authority and delegation
- Schema management, mapping, etc.
- User interface
- Privacy and legal issues

Attribute aggregation
- From where: gathering attributes from multiple sources, from the IdP or several IdPs, from other sources of authority, and from intermediaries such as portals
- When: static and dynamic acquisition. Some attributes are volatile (group memberships); others are static (date of birth). Some should be acquired per assertion; some once, in an onboarding process
- Will require a variety of standardized mechanisms: bulk feeds, user-activated links, triggers

The Tao of Attributes workshop (属性之道)
- Purpose of the workshop was to start to explore the federal use-case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
- Participants were the best and brightest: the folks who invented LDAP, SAML, OpenID, etc.
- Webcast at http://videocast.nih.gov/PastEvents.asp
- Tweeted under the tag TAOA
- http://middleware.internet2.edu/tao-of-attributes/

Principles of the Tao
- Least privilege / minimal release
- Use data "closest" to the source of authority
- Late and dynamic bindings where possible
- Dynamic identity data increases in value the shorter the exposure
- How much meaning is encoded in the attribute versus in context and metadata?
- How much flat attribute proliferation can be managed through a structured data space?
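The aggregation slide and the Tao principles above fit together in one piece of code: each attribute has a source of authority, volatile attributes are bound late (re-fetched for every assertion) while static ones are acquired once at onboarding, and a relying party receives only what its release policy allows. The block below is an added example, not code from the workshop or from any IdP; its sources, subject, attribute names, TTLs and release policy are all constructed for the example. It also works the "over legal age" use case from the earlier slide: the SP is given a derived ageOver18 value, and the date of birth it was computed from is never released.

```python
"""Attribute aggregation with per-attribute source of authority and freshness,
plus minimal release with derived attributes. Sources, subjects, attribute names
and policies are constructed for this example."""
from datetime import date, datetime, timedelta, timezone


def _as_dt(now):
    """Accept None (current time), an ISO 8601 string, or a datetime."""
    if isinstance(now, str):
        return datetime.fromisoformat(now.replace("Z", "+00:00"))
    return now or datetime.now(timezone.utc)


class Source:
    """A source of authority (a campus IdP, a VO group manager, a portal)."""
    def __init__(self, name, records):
        self.name, self.records, self.fetches = name, records, 0

    def get(self, subject, attr):
        self.fetches += 1          # counted so the binding behaviour is observable
        return self.records.get(subject, {}).get(attr)


class Resolver:
    """policy: attr -> (source, ttl). ttl None = acquire once (onboarding),
    timedelta(0) = fetch for every assertion, otherwise reuse while younger than ttl."""
    def __init__(self, policy):
        self.policy, self.cache = policy, {}

    def resolve(self, subject, attrs, now):
        now = _as_dt(now)
        out = {}
        for attr in attrs:
            source, ttl = self.policy[attr]
            cached = self.cache.get((subject, attr))
            fresh = cached is not None and (ttl is None or now - cached[1] < ttl)
            if fresh:
                value = cached[0]
            else:
                value = source.get(subject, attr)
                self.cache[(subject, attr)] = (value, now)
            if value is not None:
                out[attr] = value
        return out


def age_over_18(dob, today):
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return years >= 18


# Derived attributes: the SP gets the answer, not the raw data it was computed from.
DERIVED = {"ageOver18": ("dateOfBirth", age_over_18)}


def release(resolver, subject, sp_allowed, now):
    """Minimal release: resolve only what the SP's policy needs, then filter."""
    now = _as_dt(now)
    needed = {DERIVED[a][0] if a in DERIVED else a for a in sp_allowed}
    raw = resolver.resolve(subject, sorted(needed), now)
    released = {}
    for attr in sorted(sp_allowed):
        if attr in DERIVED:
            src, fn = DERIVED[attr]
            if src in raw:
                released[attr] = fn(raw[src], now.date())
        elif attr in raw:
            released[attr] = raw[attr]
    return released


def build_demo():
    """Constructed sources and policy: campus IdP is authoritative for affiliation
    and date of birth, the VO's group manager for isMemberOf."""
    campus = Source("idp.university-a.example", {
        "alice@university-a.example": {
            "eduPersonAffiliation": ["member", "faculty"],
            "dateOfBirth": date(1990, 6, 15),
        }})
    vo = Source("groups.lab-x.example", {
        "alice@university-a.example": {"isMemberOf": ["lab-x:instrument-users"]}})
    policy = {
        "eduPersonAffiliation": (campus, timedelta(hours=1)),   # semi-static
        "dateOfBirth": (campus, None),                          # acquire once
        "isMemberOf": (vo, timedelta(0)),                       # volatile: per assertion
    }
    return Resolver(policy), campus, vo


# Per-SP release policy (constructed).
SP_POLICY = {"https://wiki.lab-x.example/shibboleth": {"isMemberOf", "ageOver18"}}


if __name__ == "__main__":
    resolver, campus, vo = build_demo()
    sp = "https://wiki.lab-x.example/shibboleth"
    for t in ("2025-01-01T09:00:00Z", "2025-01-01T09:05:00Z"):
        print(release(resolver, "alice@university-a.example", SP_POLICY[sp], t))
    print("campus fetches:", campus.fetches, "vo fetches:", vo.fetches)
```

Two assertions five minutes apart cost the group manager two fetches and the campus IdP one: group membership is bound late, the static birth date was acquired once, and the SP never sees anything beyond the two values its policy names.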

Future applications

But without the indoor plumbing...

Noel